CompTIA CYSA+ CS0-002 – Analyzing Output from Vulnerability Scanners Part 2

4. Vulnerability Reports (OBJ 1.3)

Vulnerability reports. In this lesson we’re going to dig into those vulnerability reports and understand a little bit more about them. Now before we do that, we have to remember that a vulnerability report that is not validated is essentially useless. If I run the scanning tool and I take that report and I hand it into my boss, that doesn’t do my boss any good because that report has not been validated. Nobody has looked through it to see is it actually accurate. All we’ve done is trust the system and our job as analysts is to look at these reports and validate them. Now when we do that, we’re looking to look at each of those things that are found in that report and identify them as one of four categories. Are they a true positive, a false positive, a true negative, or a false negative? Now you may not understand what all of these are, but if you’ve taken Security Plus, these concepts should be familiar with.

Now, for many students, this is an area that confuses them. They don’t understand the difference between these four categories and it’s really important that you understand them. Now I covered this in depth in Security Plus, but I’m going to go through it again here because it really is an important concept. In fact, on the exam they may give you some issues, some things from a security report and ask you to classify them as true positive, false positive, true negative, or false negative. If you don’t understand the concepts, you’re not going to be able to get that right. So let’s talk about them first. True positive. What is a true positive? Well, this is an alert that matches a vulnerability and that vulnerability actually exists on the system you scanned. So this is something that really happened.

So what I like to think about when I think about these four categories is I like to think about pregnancy. Because if you’re married and you’ve tried to have kids before, you probably have gone through taking a pregnancy test at some point in your life. Either you or your spouse has. For me, it was my spouse who had to take them. But the same concept is there. And so if we look at that, it makes it really easy to understand. For instance, I have two children. That means at least twice in my life my wife had taken a pregnancy test and she showed me the results and it was positive. The test said it was positive. That means it was positive. And then she actually was pregnant. She had a baby inside of her. So therefore it was a true positive. That’s the idea of a true positive.

So in terms of cybersecurity, if you have some bad thing on the network and your sensor detected that bad thing and reported on it, that’s a true positive. That’s what we want to see. We want our tools to be giving us true positives. Those are the most helpful for us because we know there’s a bad thing and we now know it really exists. Now the next one we have is what’s called a false positive. This is when an alert matches a vulnerability and reports on it. But when you look at that system the vulnerability doesn’t exist. So going back to my pregnancy example, my wife thought it would be really funny when she was taking the pregnancy test to have me take one too. And so she had me do the little urine test and of course it came back negative, right? Well if it showed up positive then that would mean it was a false positive because I’m a guy.

There’s no way that I can be pregnant, right? I’m just not going to have that capability because I don’t have the body parts to do that. And so that would be a false positive if I had a test that showed positive. But it was my test because I’m a guy. So going back to our computers, if we’re thinking about something, I scan a computer and it says you have a Windows vulnerability on this system and I look at that system and it’s a Linux or a Macintosh system. Well those systems aren’t running Windows operating system so therefore I can’t have a Windows vulnerability on a Mac system. So that would be a false positive. We can mark that off in our system and say ignore that, we understand it’s not really real. That’s the idea of a false positive.

Now when you’re dealing with false positives, the problem with them is that they are very time consuming because I now have to go investigate them and I start wasting a lot of resources. So if I had 50 things pop up that told me there was Windows vulnerabilities across my network and I start going and looking at each of those machines and then I find out out there’s no Windows on that machine, that’s a false positive and I wasted time looking at each of those 50 things. Now what can you do if you start getting a lot of false positives? Well, one of the things you can do is you can start adjusting your scans to a more appropriate scope. Maybe I’m going to have one scope of all my Windows machines and another scope for all my Linux machines and another scope for all my Mac machines.

That way I can quickly identify false positives based on operating system because of the use cases of those areas. Another thing you can do is create a new baseline for a heuristic scan. If you’re using a heuristic scanning engine a lot of those will generate more false positives. Signature base tends to be a little bit more accurate. So if you’re getting a lot of false positives and you’re using heuristics, go ahead and create a new baseline because obviously your baseline is so out of date from what you’re currently doing it’s creating a lot of false positives for you. Another thing you might want to do is add the application to an exception list. For instance, if there’s a particular application on my system that is throwing up that report and giving me that flag, I might say, hey, I understand I’m running Microsoft Word on this particular Mac machine, but it doesn’t mean I’m running Word for Windows.

So I can put an exception in there to ignore that report every time it comes up. Another thing you might find is that the vulnerability really does exist on that system, but that vulnerability isn’t really exploitable. Now, what do I mean by this? Maybe I really do have Windows on that system because I’m running a virtual machine, but there’s a firewall in place that no inbound or outbound connections can get to it. So therefore it’s protected and therefore we can say that thing is not exploitable and we can move on. That’s just a silly example, but you get the idea here. Now, when you’re dealing with this and you start dealing with exceptions because you have a vulnerability that exists but isn’t exploitable or an application that you want to do exceptions on, this falls under the idea of exception management.

Now, exception management is a defined process to closely monitor systems that cannot be patched or remediated and must be accepted from those scans.Now, the reason we have exception management is because otherwise you would be buried in these false positives all of the time. There are things that would require a valid exception, but again, a thinking analyst needs to go through them, figure out if they should be an exception, and then follow the process to get them added to that exception list. The next category we have is what’s known as a true negative. This occurs when an alert is not generated because there is no matching vulnerability on that system. So going back to my pregnancy example, I am a man. If I take one of those tests, I expect it to be negative.

If the test comes back negative, that is a true negative. I have a negative result, and I am truly not pregnant because I’m a man and I am not pregnant. Same thing on cybersecurity. For instance, if I scan Windows vulnerabilities against my Mac system, I expect those results to come back negative. There should be nothing found in that report because if I’m scanning a Mac system for Windows vulnerabilities, I should find nothing because there is no Windows environment there for it to scan. That would be a true negative. That’s a good thing. Now, the other side of this is what we call a false negative. This is something that’s actually really scary for us in the cybersecurity world. When we talk about a false negative.

This is an alert that is not generated even though there’s a matching vulnerability on the system. So if I go back to my pregnancy example this would be a really sad case. There’s a couple who’s been trying to have a baby. They take a pregnancy test and it comes back negative. And they’re really sad because they think they’re not pregnant. And they’ve been trying for months and months. A couple more weeks go by and then we find out that the woman actually is pregnant. Well, she actually was pregnant the whole time, but the test didn’t generate a result for it because it didn’t detect it. That’s what we’re talking about here with a false negative. She got a negative result, but she was actually pregnant the whole time. That is a false negative.

Now, when we talk about this in the cybersecurity world, we talk about false negatives, meaning that there is a potential vulnerability in that system, or there’s a missing patch that hasn’t been installed and it’s not being identified during scanning. That’s what makes these so dangerous. The problem here is you don’t know you’re vulnerable because your report says you’re not vulnerable. But yet there’s vulnerabilities that really do exist on the system. So this is actually probably the worst of these four cases. So something to keep in mind as you’re going through and working as a cybersecurity analyst. Now, what can you do to mitigate the threat of these false negatives? Well, one of the things you can do is run repeated scans. Maybe your scanner was having a bad day and it just didn’t catch it.

So maybe you’ll want to run another scan and it catches it the second time. Or you might use different scan types or even a different scanner. So maybe I tried scanning it with Nessus and it didn’t pick it up, but now I’m going to scan it with Qualis and that one did pick it up or something of that nature. Another thing you might want to do is use different sensitivities. Maybe you are running it in safe mode. Now you’re going to run it in not safe mode, which will allow you to do more exploitation there and find additional vulnerabilities that weren’t found the first time. Another thing you can do is use a different scanner. Like I said, we switch from Nessus to OpenVAS or Openvoss to Qualis or Qualis to Nickdo or whatever we want to do.

We can use a different scanner and that might give us a better result. Now, we’ve done all of our scanning. We understand our four types of classifications. Let’s start validating our scan reports. When you run a scan, you’re going to get a scan report and they look something like this. They’ll give you a nice report with an executive summary, different vulnerabilities by host, and then details on each of those vulnerabilities so you can look at them and then validate them. So once we have our report, we have to validate that report. And there are four things we’re going to do to validate it.

First, we’re going to reconcile the results second, we’re going to correlate results with other sources. Third, we’re going to compare them to best practices. And fourth, we’re going to identify exceptions. So first, we want to reconcile these results because the scanners can misinterpret the information that they’re receiving from their probes. Again, this is the idea of making sure we identify things as truly positive, false positives, truly negative, or false negatives, and being able to categorize these things as we reconcile those results. That is a big part of a cybersecurity analyst job. Second, we want to correlate the scan results with other data sources, and we do this by reviewing related system and network logs.

So if I went and did a scan and says, hey, you have a vulnerability, port 80 is open on this workstation, I’m going to go look at that workstation and verify if port 80 is open. And if it is open, is it supposed to be open? Because maybe they are running a web server there and they were allowed to do that. If they were, then that might be something we want to add an exception to. Now, the third thing we want to do is compare the results to best practices. This allows us to determine if there’s a high priority or a low risk associated with this particular finding. Sometimes the findings in your report are going to be informational. It might say something like the best practices not to run web servers from a workstation. You should only do this from a server based environment like Windows Server 2019.

If that’s the case, you’re going to have to look at that and say, yeah, I understand that, but my organization wants to run this web server on Windows Ten. And if that’s what they want to do and they’ve accepted the risk, then that’s an acceptable thing to do. Just make sure you note it. And that brings us to our fourth category, which is identifying exceptions. Any findings whose risk has been accepted or transferred by the organization can be added to your exception list. This way those same things don’t show up week after week and month after month. This will allow your reports to be smaller in size, quicker to reconcile in the future, and you’re not bringing up the same issues to management over and over again that they’ve already made decisions on.

5. Nessus (OBJ 1.4)

Nessus. In this lesson, we are going to start talking about a vulnerability scanner, and this one is Nessus. Now, Nessus is a commercial vulnerability scanner that’s produced by Tenable network security for onpremise and cloudbased vulnerability scanning. Now, Nessus is a great product and as a home user, you are free to download it and use it on your home network free of charge, with even including an unlimited subscription. Now, if you’re going to use it in a business environment, you do have to pay for it though, because it is considered a commercial piece of software. And so if you want access to their subscription service, which has all the latest plugins that have all the vulnerabilities that you need to test for, you do need to have a subscription if you’re using it under a commercial license.

But for us as home users, and you want to start getting practice with a vulnerability scanner, I definitely recommend downloading Nessus and start scanning your own network, start getting used to what it looks like to run these scans and identify vulnerabilities within your own home networks. There is no cost to do so and it will really help you out on the exam. Now, when we talk about plugins, Nessus uses plugins and these are created using what’s known as the Nessus Attack scripting language. Each of these plugins, there’s one for every single vulnerability that it’s going to test. So as you look at the plugins for Windows, there are hundreds of vulnerabilities in Windows and there are plugins for each one of those. That is essentially the signatures that Nessus is using to test those vulnerabilities across the network.

Now, when you run a NESA scan, you’re going to get something that looks like this. Once the scan is done, this will give you your scan results. And now as you start looking at these results, it makes it really easy from this dashboard to identify what is vulnerable. For instance, just looking here on this screen, which do you think is the most vulnerable host that has the most amount of issues that I would want to look at first? Would it be Win Seven accounts or marketing? It’d be Win Seven, right, because it has the most critical and the most high and the most overall, in fact. And so that Windows Seven machine is the most vulnerable of these three machines. Now, does that mean it holds the most danger? Well, maybe, maybe not. Depends what’s that machine being used for.

Again, the accounting machine might have all of our bank account numbers and all of our credit card processing data, in which case it would be more of a vulnerability for me to go after based on data criticality. So that’s why you can’t just take these numbers at their word. You have to look into them and use your brain to figure out what is most important. Now, from this screen, you can actually click into that number 18, where those criticals are and see a list of all the critical findings. And you can see here all of these were critical. You’ll see the plugin name, the plug in family, and the amount of count that we have. So the top one there is actually a count of three. We only scan three workstations, so that means all three of them have this vulnerability.

As I look further down the list, I see some that only have one count, which may be only on the Windows Seven machine and not on accounts or not on marketing. And so this is the idea of how you can start going through these reports and figuring out where you need to focus your attention. If I have something that has a three count, in this case, because I had three pieces on the network, that tells me that every machine is affected by this, which means it’s pretty vulnerable. I have a very large attack surface, so I would want to look into that, figure out is there a way for me to protect ourselves from this, whether that means blocking something at the firewall, installing a software patch, or something of that nature. Now, if you want to get even more details, you can click into one of those.

For instance, let’s go ahead and click into that first one that affects all three machines. As I click into that, I get a lot more details. So going from the top down, we’re going to see this is a critical vulnerability. It is Microsoft 1534. Now, Nessus is not showing me the CVE number here, they’re showing me the knowledge base article number. So if I went to Microsoft’s website and went to Ms 1534, there’s a patch that I can download and install to protect my systems based on that number. It’ll give me a short description what this vulnerability is, what the solution is. In this case, there’s a patch from Microsoft. Go download and install it, and then a direct link to the tech article for that knowledge base over on Microsoft’s website where I can download it.

It’ll also show me what the output is that NASA expects to see when it tries to probe for this and any other information. As you go down, as you look at the bottom, it actually tells you what ports were being used on this test and which hosts. And that’s where my screen got cut off. But you can see accounts. That machine was one that was being affected. On the right side, you can see the details about this plug in. You could see it’s a critical severity, you could see a unique ID number. You could see what version it is, whether it’s a local type or a network type, if it’s going to be in which type of family. In this case, it’s Microsoft Windows knowledge based articles, those bulletins, and then when it was published and when it was modified, you can also see some risk information. This is a critical risk factor.

The CVSS score here is 10. 0, which is the highest it could be, right? The temporal score is an 8. 7, so it’s been out for a while. So it is less severe at this point because it’s older information and most people have been patched to it. As you go down to vulnerability information, you see some information about that as well, such as is there an exploit available? And if there are, that means it’s going to be more of a risk to you. So you want to make sure you take care of that. At the bottom you can see exploit with Core Impact. Now, what is core impact? Well, Core Impact is a commercially available penetration testing tool suite. Now, if Core Impact has a penetration test exploit for this, that means most hackers do too. So if it’s already there with Core Impact, that means it is widely available.

Anyone can hack this. So this is something I want to fix right away because this is a big vulnerability for us. Now, in addition to looking at all this information within Nessus, I can actually go outside of Nessus and look up information on this vulnerability too. For example, if I go to Sans, I can get some information from the Infosec forums on this particular knowledge base article. Again, we can see this is a big vulnerability. It has that big red and yellow text there highlighted on the screen. It says we have seen this out in our Honey Pots. Their honey pots are on the Internet. So if they’re seeing it, it means there’s exploits in the wild. This is something we want to get fixed. So this would be a bad vulnerability that we need to start prioritizing to patch our systems and get ourselves corrected on this. That’s the idea of how you can look at these reports inside of Nessus and how you can use this information to make decisions.

Now, for the exam, you don’t need to memorize specific vulnerabilities like the one I showed you here in this lesson or Eternal Blue that I showed you before. But you do need to be able to read and think through a report or a snippet like what I showed you in this lesson. It would be completely fair on the exam to include something like a vulnerability scanner’s findings with a short report with one or two items and a description of those vulnerabilities and possible fixes. And then they can ask you to prioritize, which should be mitigated first. And how in this example I just showed you, you could see it would be a critical vulnerability. There’s an exploit that existed for it and a patch exists. So this would be something that would be a high priority for us to remediate. And we can do that by installing the software patch or update from the manufacturer, in this case Microsoft.

• Category: Uncategorized